Last Updated on October 26, 2022 by InfraExam
CISM : Certified Information Security Manager : Part 63
The advantage of sending messages using steganographic techniques, as opposed to utilizing encryption, is that:
- the existence of messages is unknown.
- required key sizes are smaller.
- traffic cannot be sniffed.
- reliability of the data is higher in transit.
The existence of messages is hidden when using steganography. This is the greatest risk. Keys are relevant for encryption and not for steganography. Sniffing of steganographic traffic is also possible. Option D is not relevant.
As an organization grows, exceptions to information security policies that were not originally specified may become necessary at a later date. In order to ensure effective management of business risks, exceptions to such policies should be:
- considered at the discretion of the information owner.
- approved by the next higher person in the organizational structure.
- formally managed within the information security framework.
- reviewed and approved by the security manager.
A formal process for managing exceptions to information security policies and standards should be included as part of the information security framework. The other options may be contributors to the process but do not in themselves constitute a formal process.
There is reason to believe that a recently modified web application has allowed unauthorized access. Which is the BEST way to identify an application backdoor?
- Black box pen test
- Security audit
- Source code review
- Vulnerability scan
Source code review is the best way to find and remove an application backdoor. Application backdoors can be almost impossible to identify’ using a black box pen test or a security audit. A vulnerability scan will only find “known” vulnerability patterns and will therefore not find a programmer’s application backdoor.
Simple Network Management Protocol v2 (SNMP v2) is used frequently to monitor networks. Which of the following vulnerabilities does it always introduce?
- Remote buffer overflow
- Cross site scripting
- Clear text authentication
- Man-in-the-middle attack
One of the main problems with using SNMP vl and v°2 is the clear text “community string” that it uses to authenticate. It is easy to sniff and reuse. Most times, the SNMP community string is shared throughout the organization’s servers and routers, making this authentication problem a serious threat to security. There have been some isolated cases of remote buffer overflows against SNMP daemons, but generally that is not a problem. Cross site scripting is a web application vulnerability that is not related to SNMP. A man-in-the-middle attack against a user datagram protocol (UDP) makes no sense since there is no active session; every request has the community string and is answered independently.
Which of the following is the FIRST phase in which security should be addressed in the development cycle of a project?
- Application security testing
Information security should be considered at the earliest possible stage. Security requirements must be defined before you enter into design specification, although changes in design may alter these requirements later on. Security requirements defined during system implementation are typically costly add-ons that are frequently ineffective. Application security testing occurs after security has been implemented.
Which of the following is the MOST important consideration when deciding whether to continue outsourcing to a managed security service provider?
- The business need for the function
- The cost of the services
- The vendor’s reputation in the industry
- The ability to meet deliverables
Which of the following BEST ensures timely and reliable access to services?
- Recovery time objective
Which of the following would be MOST effective in ensuring that information security is appropriately addressed in new systems?
- Internal audit signs off on security prior to implementation
- Information security staff perform compliance reviews before production begins
- Information security staff take responsibility for the design of system security
- Business requirements must include security objectives
An information security manager learns that a departmental system is out of compliance with the information security policy’s password strength requirements. Which of the following should be the information security manager’s FIRST course of action?
- Submit the issue to the steering committee for escalation
- Conduct an impact analysis to quantify the associated risk
- Isolate the non-compliant system from the rest of the network
- Request risk acceptance from senior management
Senior management has approved employees working off-site by using a virtual private network (VPN) connection. It is MOST important for the information security manager to periodically:
- perform a cost-benefit analysis
- review firewall configuration
- review the security policy
- perform a risk assessment
Attacks using multiple methods to spread should be classified:
- each time the exposure is experienced
- depending on the method used to spread
- at the highest potential level of business impact
- using multiple classifications for each impact
A semi-annual disaster recovery test has been completed. Which of the following issues discussed during the lessons learned phase should be of GREATEST concern?
- A server used in recovery did not have the latest security patches
- Application testing was completed by system administrators
- Poor network performance was reported during recovery
- Some restored systems were not listed in the DNS table of the DR subnet
Which of the following is MOST difficult to achieve in a public cloud-computing environment?
- Cost reduction
- Pay per use
- On-demand provisioning
- Ability to audit
An organization has implemented an enhanced password policy for business applications which requires significantly more business unit resource to support clients. The BEST approach to obtain the support of business unit management would be to:
- present an analysis of the cost and benefit of the changes
- discuss the risk and impact of security incidents if not implemented
- present industry benchmarking results to business units
- elaborate on the positive impact to information security
Ensuring that an organization can conduct security reviews within third-party facilities is PRIMARILY enabled by:
- service level agreements (SLAs)
- acceptance of the organization’s security policies
- contractual agreements
- audit guidelines
Which of the following will protect the confidentiality of data transmitted over the Internet?
- Message digests
- Network address translation
- Encrypting file system
- IPsec protocol
The business advantage of implementing authentication tokens is that they:
- provide nonrepudiation
- reduce overall cost
- improve access security
- reduce administrative workload
A contract bid is digitally signed and electronically mailed. The PRIMARY advantage to using a digital signature is that:
- the bid and the signature can be copied from one document to another
- the bid cannot be forged even if the keys are compromised
- the signature can be authenticated even if no encryption is used
- any alteration of the bid will invalidate the signature
An organization has purchased a security information and event management (SIEM) tool. Which of the following is MOST important to consider before implementation?
- Reporting capabilities
- The contract with the SIEM vendor
- Controls to be monitored
- Available technical support
Which of the following BEST enables an information security manager to communicate the capability of security program functions?
- Security architecture diagrams
- Security maturity assessments
- Vulnerability scan results
- Key risk indicators (KRIs)